What is a PRF Attack ?
designed to manipulate 802.11 design flaws
Sends a flood of PR frames using MAC spoofing to
represent a large number of nodes scanning the
So what happens?
Serious performance degradation or prevent
legitimate users from accessing network
resources (DoS). DoS attacks are the most
To find an effective method to:
recognise rogue Probe Request frames,
and prevent an AP from triggering a Probe
2 2 6 6 6 2 6 Variable Variable 4
DA SA BSSID
MAC HEADER FRAME BODY CRC
2 2 4 1 1 1 1 1 1 1 1
Field Protocol Version Type
To DS From DS More Frag Retry
each request message sent by a STA
must be responded with a response
message sent by the AP.
Probe Request/Response frames are
Intel(R) PRO/Wireless LAN 2100 3B Mini
Test-AP (Access Point)
Intel® PRO/Wireless 2200BG
long-term secret key
MAC Frame Fields
Analysis of Sequence Number field.
Change Re-try limit
NIC Profiling & Signal Finger Printing
The future research
Keep a “Safe List” of known attributes and
give priority to “Safe List”.
Pattern Recognition of “Transactions” and
filter peculiar Probe Requests.
What is IEEE 802.11?
What is Probe Request & Response ?
What is a Probe Request Flooding Attack ?
So what happens?
Bicakci, K. and Tavli, B. (2009) Denial-of-Service attacks and countermeasures in IEEE
802.11 wireless networks, Computer Standards and Interfaces 31(5), pp931-941, [Online]
Available at http://www.sciencedirect.com [Accessed: 3rd October 2009].
Faria, D.B. and Cheriton, D.R. (2006) Detecting identity-based attacks in wireless networks
using signal prints, Proceedings of the 5th ACM workshop on Wireless security, Los Angeles,
California [Online] Available at http://0-delivery.acm.org [Accessed: 30 November 2009].
Liu, C. and Yu, J. (2008) Rogue access point based DoS attacks against 802.11 WLANs,
Fourth Advanced International Conference on Telecommunications, AICT '08., 8(13),
pp271-276, [Online] Available at: http://0-ieeexplore.ieee.org [Accessed: 10 October
Malekzadeh, M. et al. (2007) Security improvement for management frames in IEEE 802.11
wireless networks, International Journal of Computer Science and Network Security, IJCSNS
7(6) [Online] Available at: http://citeseerx.ist.psu.edu [Accessed: 2 February 2010].
Martinovic, I. et al. (2008) Wireless client puzzles in IEEE 802.11 networks: security by
wireless. In Proceedings of the First ACM Conference on Wireless Network Security, WiSec
'08, New York [Online] Available at: http://0-doi.acm.org [Accessed: 31 March 2010].
LMU PG Student Conference
12th Nov 2010